© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

The Internet of (insecure) Things HP Bad Guy Lair staff #HPProtect

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 2

Agenda

• Introduction • Misconception • The OWASP Internet of Things Top 10 Project • The Internet of Things State of the Union report • Takeaways • Questions

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 3

26 billion by 2020

• 30 fold increase from 2009 in Internet of

Things install base • Revenue exceeding $300 billion in 2020 • $1.9 trillion in global economic impact

*Gartner Internet of Things Report 2013

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Misconception

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 5

Misconception: It’s all about the device and internet

• It’s not just about the device, or the network,

or the clients • There are many surface areas involved • Each of these need to be evaluated

IoT.. XX%

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 6

IoT.. XX%

Considerations: A holistic approach is required • All elements need to be considered

– The Internet of Things device – The cloud – The mobile application – The network interfaces – The software – Use of encryption – Use of authentication – Physical security – USB ports

• Enter the OWASP Internet of Things Top Ten Project

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

OWASP Internet of Things Top Ten Project

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 8

Internet of Things Top Ten Project: A complete IoT review

• Review all aspects of Internet of Things • Top Ten categories • Covers the entire device • Without comprehensive coverage like this, it

would be like getting your physical but only checking one arm

• We must cover all surface area to get a good assessment of overall security

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

The Internet of Things State of the Union report

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 10

State of the Union: Devices tested • Tested 10 devices from various Internet of Things areas • TVs, webcams, home thermostats, remote power outlets, sprinkler

controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers

• Tested using the OWASP Internet of Things Top Ten Project which includes assessments of all primary surface areas

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 11

State of the Union: Common areas of concern • Privacy • Authorization/authentication • Transport encryption • Web interface • Software/firmware

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 12

90% of devices collected at

least one piece of personal information via the device, the cloud or its mobile application.

80% of devices along with their

cloud and mobile application components

failed to require passwords of a sufficient complexity

and length.

70% of devices used

unencrypted network services.

70% of devices along with their

cloud and mobile application enabled an attacker to

identify valid user accounts through account

enumeration.

Six out of 10 devices that provide user

interfaces were vulnerable to a range of issues such as

persistent XSS and weak credentials.

IoT.. XX%

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Takeaways

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 14

Takeaways: Exciting time for Internet of Things • Manufacturers want their devices to be connected • Consumers want their devices to be connected • Connected devices have many benefits to offer

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 15

Takeaways: Dangerous time for Internet of Things • Current security is one dimensional focusing only on one element of Internet of

Things security • Each new connected device brings along it’s own set of vulnerabilities • Attackers will benefit in two ways: 1) getting closer to your data by being on your

network, and 2) gaining a foothold to launch attacks against others

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 16

Takeaways: There is hope

• The Internet of Things is early in its life • Security reviews using the OWASP Top Ten Project can detect vulnerabilities for all

aspects of Internet of Things • It’s more important than ever to bake in security and maintain security throughout

the product lifecycle • The OWASP Internet of Things Top Ten Project is here to help (contributions and

suggestions are welcome)

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 17

Takeaways: Let us help HP Fortify on Demand • Cloud-based application security testing • Both static and dynamic testing, using automated

and manual techniques • Integrates with your SDLC and build environment

to provide critical security checkpoint • Single portal for code uploads and reviewing

results • Announcing The Fortify on Demand Internet of

Things Testing Practice (testing, database of devices tested)

HP Fortify Assessed

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 18

For more information

Visit these demos

• Hacking the Internet of Things, DEMO3544

• HP Fortify

After the event

• Visit www.hp.com/go/fortify • Download whitepaper and reports:

HP Internet of Things Blog and Research Study

OWASP Internet of Things Top 10

Your feedback is important to us. Please take a few minutes to complete the session survey.

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 19

Please fill out a survey. Hand it to the door monitor on your way out.

Thank you for providing your feedback, which helps us enhance content for future events.

Session BGL3620 Speaker HP Bad Guy Lair staff

Please give me your feedback

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Thank you

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.